# Syncing Secrets in k8s with config-syncer (kubed)

## Intra-cluster sync

### Deploying config-syncer (kubed) with Argo CD

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: dev-config-syncer
  namespace: cicd
spec:
  destination:
    name: cloud-k8s-test
    namespace: kube-system
  project: dev-config-syncer
  source:
    chart: kubed
    helm:
      valueFiles:
      - values.yaml
    repoURL: https://charts.appscode.com/stable/
    targetRevision: v0.13.2
```

### Create the source Secret/ConfigMap in kube-system

(omitted)

### Set the `kubed.appscode.com/sync` namespace-selector annotation on the source Secret

```
kubectl annotate secret netwarps-com-tls  kubed.appscode.com/sync="tls=netwarps" -n kube-system
kubectl annotate secret registry-pld-cicd  kubed.appscode.com/sync="registry=registry-pld-cicd" -n kube-system
```

### Label the target namespaces to match the selector

```
for ns in adminer-system bigphoto elastic-system geth ipfs nft tekton-pipelines
do
	kubectl label namespace $ns tls=netwarps
	kubectl label namespace $ns registry=registry-pld-cicd
done
```

### Check the synced registry Secret

```
kubectl get secret -A | grep registry-pld-cicd
adminer-system     registry-pld-cicd   kubernetes.io/dockerconfigjson   1   13m
bigphoto           registry-pld-cicd   kubernetes.io/dockerconfigjson   1   13d
elastic-system     registry-pld-cicd   kubernetes.io/dockerconfigjson   1   13m
geth               registry-pld-cicd   kubernetes.io/dockerconfigjson   1   13m
ipfs               registry-pld-cicd   kubernetes.io/dockerconfigjson   1   13m
kube-system        registry-pld-cicd   kubernetes.io/dockerconfigjson   1   15m
nft                registry-pld-cicd   kubernetes.io/dockerconfigjson   1   34d
tekton-pipelines   registry-pld-cicd
```

### Clean up the intra-cluster synced Secrets (use with care: this also deletes every associated synced Secret in the cluster)

```
# kubectl annotate secret netwarps-com-tls kubed.appscode.com/sync- -n kube-system
# kubectl annotate secret registry-pld-cicd kubed.appscode.com/sync- -n kube-system
```
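The steps above (annotate the source Secret with a label selector, label the target namespaces, remove the annotation to clean up) are easier to reason about when the matching rule is spelled out. The following is an added illustration, not kubed's own code: it models the intra-cluster fan-out over in-memory objects so the effect of each annotation and label change can be seen without a cluster. It assumes the equality-based selector form used on this page (`key=value`, comma-separated); an empty selector is treated here as "every namespace", matching how the kubed docs describe `kubed.appscode.com/sync=""`. The source namespace is skipped because the original already lives there, and the Secret and Namespace objects are constructed sample data.

```python
"""Model of config-syncer (kubed) intra-cluster Secret fan-out.

Added illustration, not kubed's own code. It reimplements the rule from
the page: a source Secret carrying kubed.appscode.com/sync="<selector>"
gets a copy in every namespace whose labels match the selector, and
dropping the annotation removes every copy.
"""
from dataclasses import dataclass, field

SYNC_ANNOTATION = "kubed.appscode.com/sync"


@dataclass
class Secret:
    name: str
    namespace: str
    annotations: dict = field(default_factory=dict)


@dataclass
class Namespace:
    name: str
    labels: dict = field(default_factory=dict)


def parse_selector(value: str) -> dict:
    """Parse the equality-based selector used on the page ("tls=netwarps").

    Assumption: only 'key=value' terms, comma-separated. An empty string
    yields an empty selector, which matches every namespace.
    """
    selector = {}
    for term in value.split(","):
        term = term.strip()
        if not term:
            continue
        key, sep, val = term.partition("=")
        if not sep:
            raise ValueError(f"unsupported selector term: {term!r}")
        selector[key.strip()] = val.strip()
    return selector


def matches(selector: dict, labels: dict) -> bool:
    """True when every selector term is satisfied by the namespace labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def desired_copies(sources: list, namespaces: list) -> set:
    """Return the set of (namespace, secret name) pairs that should exist.

    Secrets without the annotation are not synced at all; the source
    namespace is never a copy target because the original is there.
    """
    wanted = set()
    for s in sources:
        if SYNC_ANNOTATION not in s.annotations:
            continue
        sel = parse_selector(s.annotations[SYNC_ANNOTATION])
        for ns in namespaces:
            if ns.name != s.namespace and matches(sel, ns.labels):
                wanted.add((ns.name, s.name))
    return wanted


def reconcile(existing: set, sources: list, namespaces: list) -> dict:
    """Diff the copies that exist against the copies that are wanted.

    Removing the annotation makes every copy unwanted, so the result is a
    delete for each of them: the cleanup caveat from the page.
    """
    wanted = desired_copies(sources, namespaces)
    return {"create": sorted(wanted - existing), "delete": sorted(existing - wanted)}


def demo():
    """Walk the page's procedure on constructed sample objects."""
    sources = [
        Secret("registry-pld-cicd", "kube-system", {SYNC_ANNOTATION: "registry=registry-pld-cicd"}),
        Secret("netwarps-com-tls", "kube-system", {SYNC_ANNOTATION: "tls=netwarps"}),
    ]
    namespaces = [
        Namespace("kube-system"),
        Namespace("geth", {"tls": "netwarps", "registry": "registry-pld-cicd"}),
        Namespace("nft", {"registry": "registry-pld-cicd"}),
        Namespace("default"),  # unlabelled: receives nothing
    ]
    # First pass: nothing exists yet, so every matching pair is a create.
    first = reconcile(set(), sources, namespaces)
    existing = set(first["create"])
    # Cleanup: drop the registry Secret's annotation (the `sync-` command).
    sources[0].annotations.pop(SYNC_ANNOTATION)
    second = reconcile(existing, sources, namespaces)
    return first, second


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Running it shows the first reconcile creating three copies (two in `geth`, one in `nft`) and the second, after the annotation is removed, deleting both `registry-pld-cicd` copies while leaving the TLS Secret in place; that is exactly why the cleanup heading warns that removing the annotation removes every associated copy.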

## Cross-cluster sync

### Deploying config-syncer (kubed) with Argo CD

**Note: the stock config-syncer does not support cross-cluster sync through Rancher-proxied k8s cluster API addresses. Because the proxied clusters share the same host name and port, they are misidentified as a single cluster and the sync fails. The config-syncer image used in the deployment below is a Docker image I rebuilt after modifying the code to support the Rancher proxy.**

```
quay.io/netwarps/kubed@sha256:05e894200d732407763c552ce81633b79e63f7c6e7aaee5fcc7a13e1e1660b4c
```

The complete Argo CD deployment `prod-config-syncer.yaml` is as follows (deployed to the same k8s cluster as Rancher; the sync uses Rancher's internal proxied k8s addresses):

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: prod-config-syncer
  namespace: cicd
spec:
  destination:
    name: cloud-hk-kugga-prod
    namespace: kube-system
  project: prod-config-syncer
  source:
    chart: kubed
    helm:
      parameters:
      # Defaults to unicorn; after a sync the copied config is labelled with this cluster name
      - name: config.clusterName
        value: cloud-hk-kugga-prod
      - name: logLevel
        value: "5"
      - name: operator.tag
        value: 05e894200d732407763c552ce81633b79e63f7c6e7aaee5fcc7a13e1e1660b4c
      - name: operator.registry
        value: quay.io/netwarps
      - name: operator.repository
        value: kubed@sha256
      valueFiles:
      - values.yaml
      values: |-
        config:
          kubeconfigContent: |-
            apiVersion: v1
            kind: Config
            clusters:
            - name: "geth-uat-k8s"
              cluster:
                insecure-skip-tls-verify: true
                server: "https://rancher.cattle-system.svc/k8s/clusters/c-m-xxxxxxxx"
            - name: "geth-prod-k8s"
              cluster:
                insecure-skip-tls-verify: true
                server: "https://rancher.cattle-system.svc/k8s/clusters/c-m-xxxxxxxx"
            - name: "cloud-k8s-test"
              cluster:
                insecure-skip-tls-verify: true
                server: "https://rancher.cattle-system.svc/k8s/clusters/c-m-xxxxxxxx"

            users:
            - name: "geth-uat-k8s"
              user:
                token: "kubeconfig-u-gdwznkhv4p:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            - name: "geth-prod-k8s"
              user:
                token: "kubeconfig-u-gdwzng6j9j:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            - name: "cloud-k8s-test"
              user:
                token: "kubeconfig-u-v5rjddpgpx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"


            contexts:
            - name: "geth-uat-k8s"
              context:
                user: "geth-uat-k8s"
                cluster: "geth-uat-k8s"
            - name: "geth-prod-k8s"
              context:
                user: "geth-prod-k8s"
                cluster: "geth-prod-k8s"
            - name: "cloud-k8s-test"
              context:
                user: "cloud-k8s-test"
                cluster: "cloud-k8s-test"
    repoURL: https://charts.appscode.com/stable/
    targetRevision: v0.13.2
```

### Create the source Secret/ConfigMap in kube-system

(omitted)

### Configure the clusters for cross-cluster Secret sync (syncs to the kube-system namespace by default)

```
kubectl annotate secret netwarps-com-tls kubed.appscode.com/sync-contexts="cloud-k8s-test,geth-uat-k8s,geth-prod-k8s" -n kube-system
kubectl annotate secret registry-pld-cicd kubed.appscode.com/sync-contexts="cloud-k8s-test,geth-uat-k8s,geth-prod-k8s" -n kube-system
```

**Note: this configuration only syncs to the kube-system namespace of the specified target k8s clusters. To sync into other namespaces as well, see the intra-cluster sync configuration.**

### Configure intra-cluster sync for the Secrets

```
kubectl annotate secret netwarps-com-tls kubed.appscode.com/sync="tls=netwarps" -n kube-system
kubectl annotate secret registry-pld-cicd kubed.appscode.com/sync="registry=registry-pld-cicd" -n kube-system
```

### Clean up cross-cluster Secret sync (use with care: this also deletes the associated Secrets in the target clusters)

```
# kubectl annotate secret netwarps-com-tls kubed.appscode.com/sync-contexts- -n kube-system
# kubectl annotate secret registry-pld-cicd kubed.appscode.com/sync-contexts- -n kube-system
```
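The cross-cluster section hinges on two things: how `kubed.appscode.com/sync-contexts` is resolved against the contexts in `config.kubeconfigContent`, and why the stock image collapses the three Rancher-proxied clusters into one. The following is an added illustration, not kubed's own code. It resolves the annotation value to API server URLs using a constructed kubeconfig in the same shape as the page's (cluster ids are placeholders and tokens are omitted, since only identity is modelled), then compares two identity keys: host and port only, which the page says makes the proxied clusters look identical, and host, port and path, which keeps `/k8s/clusters/<id>` and so tells them apart. The `include_path` switch is an assumption of this model, not a kubed option.

```python
"""Model of config-syncer (kubed) cross-cluster target resolution.

Added illustration, not kubed's code. Shows how the sync-contexts
annotation maps to kubeconfig contexts, and why keying cluster identity
on host:port alone merges Rancher-proxied clusters whose servers differ
only in the /k8s/clusters/<id> path.
"""
from urllib.parse import urlsplit

SYNC_CONTEXTS_ANNOTATION = "kubed.appscode.com/sync-contexts"

# Constructed kubeconfig in the shape of the page's config.kubeconfigContent.
# Cluster ids are placeholders; users/tokens are left out because only
# cluster identity, not authentication, is modelled here.
KUBECONFIG = {
    "clusters": [
        {"name": "geth-uat-k8s",
         "cluster": {"server": "https://rancher.cattle-system.svc/k8s/clusters/c-m-uat00000"}},
        {"name": "geth-prod-k8s",
         "cluster": {"server": "https://rancher.cattle-system.svc/k8s/clusters/c-m-prod0000"}},
        {"name": "cloud-k8s-test",
         "cluster": {"server": "https://rancher.cattle-system.svc/k8s/clusters/c-m-test0000"}},
    ],
    "contexts": [
        {"name": n, "context": {"cluster": n, "user": n}}
        for n in ("geth-uat-k8s", "geth-prod-k8s", "cloud-k8s-test")
    ],
}


def parse_sync_contexts(value: str) -> list:
    """Split the comma-separated annotation value, dropping blanks."""
    return [c.strip() for c in value.split(",") if c.strip()]


def resolve_targets(annotation_value: str, kubeconfig: dict) -> dict:
    """Map each context named in the annotation to its API server URL.

    A name with no matching context (or a context pointing at a missing
    cluster) is an error rather than a silent skip, so a typo in the
    annotation cannot quietly drop a cluster from the sync.
    """
    contexts = {c["name"]: c["context"]["cluster"] for c in kubeconfig["contexts"]}
    clusters = {c["name"]: c["cluster"]["server"] for c in kubeconfig["clusters"]}
    targets = {}
    for ctx in parse_sync_contexts(annotation_value):
        if ctx not in contexts or contexts[ctx] not in clusters:
            raise ValueError(f"sync-contexts names unknown context {ctx!r}")
        targets[ctx] = clusters[contexts[ctx]]
    return targets


def cluster_key(server: str, include_path: bool) -> str:
    """Identity key for an API server URL.

    include_path=False reproduces the host:port comparison the page says
    mistakes all Rancher-proxied clusters for one; include_path=True keeps
    the /k8s/clusters/<id> path and distinguishes them.
    """
    u = urlsplit(server)
    port = u.port or (443 if u.scheme == "https" else 80)
    key = f"{u.hostname}:{port}"
    return key + u.path if include_path else key


def distinct_clusters(targets: dict, include_path: bool) -> int:
    """How many distinct clusters the resolver believes it is syncing to."""
    return len({cluster_key(s, include_path) for s in targets.values()})


if __name__ == "__main__":
    t = resolve_targets("cloud-k8s-test,geth-uat-k8s,geth-prod-k8s", KUBECONFIG)
    for name, server in t.items():
        print(f"{name}: {server}")
    print("host:port only      ->", distinct_clusters(t, include_path=False), "cluster(s)")
    print("host:port plus path ->", distinct_clusters(t, include_path=True), "cluster(s)")
```

With the three contexts from the page's annotation, the host-and-port key reports a single cluster while the path-aware key reports three, which is the misidentification the note at the top of this section describes. The page's kubeconfig also sets `insecure-skip-tls-verify: true` for the in-cluster Rancher proxy; the model above does not depend on that setting, and it is worth checking whether the proxy's certificate can be trusted instead.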

## References

<https://github.com/kubeops/config-syncer>

<https://appscode.com/products/kubed/v0.12.0/setup/install/>

<https://appscode.com/products/kubed/v0.12.0/>

<https://appscode.com/products/kubed/v0.12.0/guides/config-syncer/intra-cluster/>

<https://github.com/paradeum-team/config-syncer/tree/jyliu-dev/charts/kubed>
